Endpoint Detection and Response (EDR) has replaced traditional antivirus as the minimum-viable endpoint security control for any organization that takes security seriously. The shift reflects a fundamental change in the threat landscape: modern attackers do not rely on malware with known signatures. They use living-off-the-land techniques — PowerShell, WMI, certutil, built-in OS tools — that antivirus cannot detect because there is no malicious binary to scan. EDR addresses this by monitoring behavior, not signatures.
This guide covers the EDR landscape, how to evaluate platforms, deployment challenges, evasion techniques modern EDR must address, and considerations for OT environments.
EDR vs. AV vs. EPP: Understanding the Distinction
Traditional Antivirus (AV) operates on signature matching: it maintains a database of known malicious file hashes and byte patterns and blocks files that match. It is effective against commodity malware with known signatures but blind to novel malware, fileless attacks, and legitimate tools used maliciously.
Endpoint Protection Platform (EPP) extends AV with additional preventive controls: application whitelisting, exploit prevention, device control, web filtering. EPP focuses on prevention — stopping malicious execution before it occurs. It does not provide visibility into what an attacker does after a prevention failure.
Endpoint Detection and Response (EDR) focuses on behavioral monitoring and forensic visibility. An EDR agent continuously records process creation, network connections, file system activity, registry modifications, memory operations, and user account actions. When a detection fires — based on behavioral rules, machine learning models, or threat intelligence correlation — the EDR surfaces an alert with full attack chain context: the parent process, the command line arguments, the network connections made, the files written. This context is what enables rapid investigation and response.
Key EDR capabilities that distinguish mature platforms:
- Process injection detection: Identifying when one process injects code into another — the technique underpinning most post-exploitation frameworks (Cobalt Strike, Metasploit). Detection mechanisms include monitoring for
CreateRemoteThread,NtWriteVirtualMemory, andVirtualAllocExAPI calls. - LSASS protection: The Local Security Authority Subsystem Service holds hashed and sometimes cleartext credentials in memory. Protecting LSASS from read access prevents credential dumping attacks (mimikatz). Modern EDR blocks
MiniDumpWriteDumpcalls targeting LSASS. - Ransomware rollback: Volume Shadow Copy integration and file activity monitoring enable some EDR platforms (SentinelOne Singularity is the best-known example) to automatically roll back file changes made during a ransomware encryption event.
- Threat hunting: EDR platforms expose their telemetry through a query interface. SentinelOne uses PowerQuery, CrowdStrike uses Falcon Query Language (FQL), Microsoft Defender uses KQL (Kusto Query Language). Threat hunters use these to proactively search for indicators of compromise across historical data.
Major EDR Vendor Overview
A word on vendor comparisons: MITRE Engenuity's ATT&CK Evaluations test endpoint products against real adversary techniques in open, transparent conditions — but MITRE deliberately publishes no scores, rankings, or per-vendor detection rates. It releases raw per-technique detection data so buyers can weigh coverage against their own priorities (MITRE Engenuity ATT&CK Evaluations methodology). Treat any single "winner" percentage with skepticism; we help regulated firms read that raw data in the context of their threat model rather than relying on a headline number.
CrowdStrike Falcon
CrowdStrike is the market leader by revenue and consistently top-ranked in MITRE ATT&CK evaluations. The Falcon platform is cloud-native — agents report telemetry to CrowdStrike's cloud, with no on-premise management infrastructure required. CrowdStrike markets it as a single lightweight agent covering Windows, macOS, and Linux. Falcon Complete is CrowdStrike's MDR service wrapping the platform with 24/7 SOC coverage. CrowdStrike's published self-service list pricing is $59.99 per device per year (Falcon Go), $99.99 (Falcon Pro), and $184.99 (Falcon Enterprise), with the Elite tier and the Falcon Complete MDR service quoted on request (CrowdStrike pricing pages, 2026). Note: the July 2024 incident (faulty content update causing 8.5 million Windows BSODs — CrowdStrike CVE not applicable, this was a quality control failure) highlighted the operational risk of automatic kernel-level updates.
SentinelOne Singularity
SentinelOne differentiates on autonomous response — the agent can automatically quarantine, kill, and rollback without requiring cloud connectivity or SOC analyst intervention. This makes it particularly resilient in air-gapped or low-connectivity environments. The Singularity platform includes SentinelOne's ransomware/breach-response warranty of up to $1 million per company ($1,000 per affected endpoint per 12-month subscription) for covered incidents on properly configured Windows endpoints (SentinelOne, '$1 Million Cyber Threat Protection Warranty'). Strong Linux and container support. SentinelOne publishes annual per-endpoint list pricing of roughly $70–$230 depending on tier — Core $69.99, Control $79.99, Complete $179.99, Commercial $229.99 — with Enterprise quoted directly and volume discounts applied at scale (SentinelOne Platform Packages, sentinelone.com/platform-packages).
Microsoft Defender for Endpoint (MDE)
For organizations heavily invested in Microsoft 365, MDE provides strong value through native integration with Azure AD, Intune, and Microsoft Sentinel. It is included in Microsoft 365 E5 licensing, making the marginal cost zero for E5 subscribers. MITRE ATT&CK evaluation performance has improved significantly in recent cycles. Weakness: Windows-only full capability — macOS and Linux coverage is materially weaker than CrowdStrike or SentinelOne.
Palo Alto Cortex XDR
Cortex XDR extends EDR to network and cloud telemetry, correlating endpoint events with firewall logs, cloud audit trails, and email security findings. Best suited for organizations standardized on Palo Alto's network security stack. The behavioral analytics engine is strong, and the XQL (XDR Query Language) is expressive for threat hunting.
EDR Evasion Techniques and How Modern EDR Addresses Them
Sophisticated threat actors invest significant effort in evading EDR. Understanding evasion techniques is essential to evaluating EDR effectiveness:
- BYOVD (Bring Your Own Vulnerable Driver): Attackers load a legitimate but vulnerable kernel driver (e.g., RTCore64.sys, used in the Lazarus Group's Operation In(ter)ception) to execute code at kernel privilege, allowing them to disable or blind the EDR agent. Modern EDR addresses this through Microsoft's Vulnerable Driver Blocklist and driver signature enforcement. CrowdStrike and SentinelOne both maintain their own blocklists.
- Sleep obfuscation: Shellcode encrypts itself in memory while sleeping, defeating memory scanning that looks for known shellcode patterns. Cobalt Strike's Ekko and Foliage sleep obfuscation techniques exemplify this. EDR counters this by monitoring memory allocation patterns and thread context rather than scanning static shellcode signatures.
- Process hollowing: A legitimate process (e.g., svchost.exe) is spawned in a suspended state, its memory unmapped, and malicious shellcode written into the vacated address space before resuming. EDR detects this through API call sequence monitoring and memory integrity checks.
- Direct syscalls: Bypassing user-mode API hooks by calling Windows kernel syscalls directly using syscall instruction sequences rather than going through ntdll.dll (which EDR hooks). Modern EDR addresses this with kernel-level telemetry collection that does not rely solely on user-mode hooks.
Deployment Challenges
EDR deployment is not plug-and-play at enterprise scale:
- Incompatible kernel drivers: Some legacy security tools and industrial software use kernel-mode components that conflict with EDR agents. Thorough compatibility testing in a staging environment before production rollout is mandatory.
- Performance impact: Lightweight EDR agents typically run at a low single-digit percentage of CPU during normal operation — Huntress, for example, expects its agent to use 1–5% CPU, rising to 5–10% during a scan or survey (Huntress Support, 2026) — though usage can spike during full disk scans or high file-write-rate operations. Benchmark in your environment before committing to a vendor.
- Alert volume: An untuned EDR platform generates enormous alert volumes — thousands of daily alerts for an enterprise — that overwhelm SOC analysts. Initial tuning (whitelisting known-good software, suppressing noisy detections, configuring exclusions for AV-scanning paths) requires 2–4 weeks of dedicated effort.
EDR for OT/Industrial Environments
Operational Technology environments present unique constraints: legacy Windows XP/2003 systems that cannot run modern agents, real-time control requirements that make behavioral blocking dangerous, and air-gapped networks that prevent cloud-delivered updates. Purpose-built OT security platforms (Claroty, Dragos, Nozomi Networks) provide passive network monitoring as an alternative. Where EDR agents can be deployed on OT-adjacent IT systems (historian servers, engineering workstations), CrowdStrike and SentinelOne both support compatibility modes that disable preventive actions while retaining telemetry collection.
Fortress MSSP provides managed EDR services including deployment, tuning, and 24/7 alert triage. Contact us to discuss EDR deployment or a platform migration assessment.